Hi, BTW, one other piece of possible information: We found that if we put all the PEMs for the CRLs into one big file and then used the SSLCACertificateRevocationFile directive instead of the SSLCACertificateRevocationPath directive and the hashes in the directory, then we don't get the Error 12/Expired CRL errors. Jim -------------------------------------------- On Mon, 3/7/16, o haya <ohaya@xxxxxxxxx.INVALID> wrote: Subject: SSL/CRL Problem - Error 12 (Expired) To: users@xxxxxxxxxxxxxxxx Cc: ohaya@xxxxxxxxx Date: Monday, March 7, 2016, 8:43 PM Hi, I'm not sure if I should post this to the openssl mailing list or here, but thought that it'd make sense to start here. If that is not appropriate, please let me know? Anyway, we are upgrading some of our Apache instance to 2.4.16 (on Redhat), and we are encountering a strange problem with SSL and CRLs. Our websites are configured for SSL client authentication with CRLs in a directory pointed to by SSLCACertificateRevocationPath and SSLCARevocationCheck set to "chain". We then place our CRLs in the directory and create the hashes for them. However, when we tried to upgrade one of our production instances the requests are failing and, in the error logs, we are seeing the following messages: [ssl.debug] [pid 4866] ssl_engine_kernel.c: [client 10.10.10.10-xxxx] Certificate Verification, depth 1, CRL checking mode: chain [subject: CN=CA4,OU=branch,.... / issuer: CN=Root 3,OU=branch,... / serial: 86 / notbefore: Aug 1 00:00:00 2013 GMT / notafter: Aug 1 00:00:00 2021 GMT] [ssl.info] [pid 4866] [client 10.10.10.10-xxxx] Certificate Verification: Error (12): CRL has expired [subject: CN=CA4,OU=branch,... / issuer: CN=Root 3,... / serial: 86 / notbefore: Aug 1 00:00:00 2013 GMT / notafter: Aug 1 00:00:00 2021 GMT] We checked all of the CRL files and they are all within their validity periods. The thing is that we have not been able to replicate this problem in our test environment, when we try to re-create a similar PKI heirarchy, so we (or I) suspect that there may be something going on with either the CRLs or cert files that we are getting from the CAs (but recall that these same CRLs worked with older Apache. So I was wondering: If there is any known situations where that "Error 12" would be logged, but where the problem was being cause by something other than the CRL files actually being expired? As I said, this might be more of an openssl question? Thanks in advance, Jim --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|